Security Alerting Systems (SASs) generate security-related alert messages indicating a potential compromise of a protected resource, such as a computing device. The alerts are transmitted to a trusted receiver for analysis and action. U.S. patent application Ser. No. 13/537,981, filed Jun. 29, 2012, entitled “Methods and Apparatus for Secure and Reliable Transmission of Alert Messages from a Security Alerting System,” now U.S. Pat. No. 9,160,539, discloses methods and apparatus for secure transmission of alert messages over a message locking channel (MLC). Alert messages are buffered at the monitored endpoint and transmitted to a collection server, such as a Security Information Event Management (SIEM) server, for further security analytics processing.
In a buffer overwrite attack, an attacker that has compromised the endpoint host may insert benign-looking fake alert messages into the buffer so that meaningful and attack-indicative alerts that were previously entered in the buffer are overwritten (and thus lost) before the next scheduled buffer transmission. Buffer overwrite attacks can be detected using a gap-rule check at the collection server where a special alert is raised if two consecutive buffers are received containing alerts that are not overlapping, i.e., a gap in the sequence of received alerts has been detected.
If there is a prolonged period of disconnection between the client and the collection server, then alerts residing in the buffer may be naturally overwritten, even without any adversarial action. Thus, when the connection is restored, the next buffer transmission will miss some alert messages. The buffer should not be enlarged incrementally by one slot at a time, specifically to accommodate new alerts, however, because the buffer size would then provide a post-compromise indication of whether alerts were recorded prior to compromise.
A need therefore exists for a dynamic storage adaptation policy where the buffer size is established in a dynamic manner so that alert messages are not lost in the event of a prolonged disconnection between the endpoint host and the remote collection server.